CVE-2024-46610 is an access control vulnerability identified in IceCMS version 3.4.7 and earlier. The flaw exists in the ChangeUser function of the UserController.java component, specifically at the /User/ChangeUser/s endpoint. Attackers who have some level of authenticated access can craft POST requests to arbitrarily modify user information, including sensitive fields such as usernames and passwords. This indicates a failure to properly enforce authorization checks before allowing modifications to user data, classified under CWE-284 (Improper Access Control). The vulnerability allows an attacker to potentially escalate privileges or take over other user accounts by changing credentials, severely impacting confidentiality and integrity. The CVSS 3.1 base score is 7.6, with vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L, indicating network attack vector, low attack complexity, requiring privileges and user interaction, with high confidentiality and integrity impact and low availability impact. No public exploits are currently known, but the vulnerability presents a significant risk to organizations using affected IceCMS versions, especially those managing sensitive user data or critical services. The lack of available patches at the time of reporting necessitates immediate mitigation efforts.

The primary impact of CVE-2024-46610 is the unauthorized modification of user credentials and information, which can lead to account takeover and privilege escalation within IceCMS deployments. This compromises the confidentiality and integrity of user data, potentially allowing attackers to impersonate legitimate users or administrators. Such unauthorized access can facilitate further attacks, including data theft, unauthorized content changes, or disruption of services. Although availability impact is low, the breach of trust and control over user accounts can have severe operational and reputational consequences for organizations. Enterprises relying on IceCMS for content management, especially those in sectors like government, finance, healthcare, or critical infrastructure, face increased risk of targeted exploitation. The requirement for some level of authentication and user interaction limits the attack surface but does not eliminate it, as insider threats or compromised accounts could be leveraged. The absence of known exploits in the wild currently provides a window for proactive defense but also underscores the urgency for remediation before exploitation becomes widespread.

To mitigate CVE-2024-46610, organizations should first verify if they are running IceCMS version 3.4.7 or earlier and prioritize upgrading to a fixed version once available. In the absence of an official patch, implement strict access control policies restricting who can access the /User/ChangeUser/s endpoint, ideally limiting it to trusted administrators only. Employ web application firewalls (WAFs) to detect and block suspicious POST requests targeting this endpoint. Conduct thorough audits of user permissions and monitor logs for unusual user modification activities. Enforce multi-factor authentication (MFA) to reduce the risk of compromised credentials being exploited. Additionally, review and harden the application’s authorization logic to ensure proper validation of user privileges before processing sensitive changes. Regularly back up user data and have incident response plans ready to address potential account compromises. Finally, educate users and administrators about the risks of phishing and social engineering that could facilitate exploitation requiring user interaction.